CVE-2026-27205
MEDIUMCVSS v3
4.3
MEDIUM
EPSS Score
0.0%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk d
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 2/21/2026
- Last Modified
- 2/24/2026
Frequently Asked Questions
What is CVE-2026-27205?
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk d
Is CVE-2026-27205 actively exploited?
Active exploitation of CVE-2026-27205 has not been confirmed. The EPSS score is 0.0%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-27205?
CVE-2026-27205 has a CVSS v3 base score of 4.3 (MEDIUM severity), with vector string 3.1.
Is CVE-2026-27205 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.